20 Innovative Companies of the Year 2024
CIO Bulletin
DigiCert – Empowering Digital Trust in the Quantum Era with Future-Proof Security Solutions and Collaborative Leadership
Amidst the digital landscape’s complexity, one company stands out for its unwavering commitment to simplicity and security: DigiCert. DigiCert emerged with a clear mission—to redefine digital security by putting people first.
In a world where online transactions often evoke anxiety, DigiCert recognized that security should alleviate worry, not exacerbate it. The journey began with a simple realization: digital security shouldn’t be cumbersome or laden with technical jargon. It should be accessible, intuitive, and above all, focused on real people facing real challenges.
Today, DigiCert stands as the digital trust provider of choice for leading companies worldwide. The company’s suite of digital trust solutions, which include high-assurance TLS/SSL, PKI, IoT, and signing, empowers individuals, businesses, governments, and consortia to navigate the digital realm with confidence.
Timothy Hollebeek, Industry Technology Strategist of DigiCert, spoke exclusively to CIO Bulletin about how his company is simplifying and safeguarding digital footprints, continuing to pave the way for a more secure and user-centric online experience.
Interview Highlights
Q. From a high level, tell us what DigiCert does and what inspired DigiCert to address the specific challenges quantum computers will present when operational?
DigiCert provides digital trust for customers using connected technologies, ensuring secure and verified interactions. The company utilizes asymmetric cryptography for internet security. However, the advent of quantum computers threatens to compromise these cryptographic methods. While quantum computers are not yet widely available, their anticipated future presence necessitates the development of new cryptographic methods. These emerging methods, currently undergoing standardization, will rely on complex mathematical problems that quantum computers cannot solve. This preemptive approach exemplifies DigiCert’s response to the challenges posed by quantum computing.
Q. How does DigiCert leverage cross-industry collaborations to drive innovation and address diverse cybersecurity needs when addressing post-quantum computing?
DigiCert operates across various industries, leveraging cross-industry collaborations to drive innovation and address diverse cybersecurity needs. The company collaborates with competitors, partners, and software vendors to establish minimum security standards that propel technology forward. DigiCert participates in numerous global standards development groups, including the Internet Engineering Task Force (IETF), where it co-chairs the group handling all PKI and certificate-related issues. The company is also involved in a new post-quantum in protocols (PQUIP) group that standardizes information about the post-quantum transition and contributes to the National Institute of Standards and Technology’s (NIST) National Cryptographic Center of Excellence PQC transition Project, ensuring their software is compatible with software produced by other cryptographic engineers worldwide.
Q. We’re in an industry that tends to see a lot of hype. How real is the threat that quantum computers pose to security overall?
The threat posed by quantum computers to security is indeed very real, despite appearing as mere hype. Since the 1990s, quantum computers have been known to break RSA and elliptic curve cryptography. Although no one knew how to build one then, recent years have seen significant advances in quantum computing technology, with current models approaching the size and speed needed to defeat existing internet cryptography. The threat is not a question of ‘if’ but ‘when’. Considering previous simpler cryptographic transitions took over a decade, this upcoming transition — the most complex upgrade of internet security yet — will likely take considerable time. It’s crucial to get it right.
Q. What would a quantum cyberattack look like from your perspective?
A quantum cyberattack could manifest in two primary forms. The first is known as “Harvest Now, Decrypt Later.” Intelligence agencies could currently record internet traffic containing information that will remain sensitive in the future, such as long-term secrets or personal data like social security numbers. This data could be decrypted and exploited once quantum computers are available. Therefore, upgrading protection using quantum-safe technologies as soon as possible is vital.
The second type of attack involves forging digital signatures with quantum computers. The same weaknesses in asymmetric cryptography that affect communications also impact digital signatures. Attackers could forge these signatures to present illegitimate software updates as authentic, potentially leading to widespread security breaches. This includes manipulating the firmware of laptops, network devices, and more to appear as if they came from a legitimate software vendor when they’re actually from an attacker.
Q. How far are you suggesting we are away from a full-blown cyberattack involving quantum computers?
Estimates suggest we could see a full-blown cyberattack involving quantum computers anywhere from 5 to 15 years from now, although predicting the future with precision is challenging. The progression of quantum computing technology has been faster than expected, with qubits doubling every year for about six years. The current challenge is error correction, ensuring stable communication between thousands of qubits for long enough to solve problems. However, machine learning is remarkably effective in correcting qubit errors, with projects from institutions like DARPA and Harvard leading to more stable commercial quantum computers than anticipated. Consequently, we might need to replace our current security measures within only 5 or 10 years — a significant concern considering that quantum-safe technology is still in the design and development stages.
Q. How is the industry as a whole doing today in preparing for this risk?
Many organizations, particularly at the executive level, require a deeper understanding of the risk posed by quantum computing. Therefore, the initial step is to raise awareness about this imminent threat and emphasize the necessity for an upgrade plan. While technologies to counter this risk are not yet fully ready for deployment, they are expected to be within the next six to 12 months, with numerous products and technologies poised to emerge.
Organizations need to prepare by gaining awareness of their specific risks, compiling an inventory of their cryptography to identify what requires replacement, and establishing crypto agility. They should also ensure that their digital assets are safeguarded using existing best practices and possess management and automation software that enables the rotation of new cryptographic methods.
Such management software is presently available, and organizations should implement it now to ready themselves for deploying more advanced cryptographic methods later this year and into the next.
Q. What can we expect from DigiCert in terms of innovation and advancements in the field of digital security? And are there specific areas the company aims to explore or pioneer?
DigiCert is taking a cautious approach to technology, closely following standards and ensuring that their designs and implementations are vetted by leading experts in cryptography and security. The company actively participates in discussions about the development of top-notch standards. Currently, DigiCert’s offerings focus on helping customers explore and discover the best techniques for their environment, rather than pushing products that may still need to be fully matured or ready.
DigiCert strongly supports post-quantum technology and is working diligently to ensure its proper integration into protocols like TLS and S/MIME, as well as other internet security protocols currently used to protect data. The aim is to avoid having to ask people to replace things multiple times.
Given the limited timeframe for the transition to quantum-safe security, it’s critical to get it right the first time to avoid missing the deadline. This underscores the importance of collective effort in ensuring a smooth transition.
Q. What inspired you personally to investigate quantum computers and the impact these could have on security?
With a background in encryption and key management for 15 years, and computer security for 25 years, I already had a solid foundation in the field. However, my interest in quantum technologies runs even deeper. My father was a physicist, and I spent time conducting quantum chemistry research at Princeton University long before I entered the field of security.
I never anticipated that these two fields would intersect, but now that they have, I find myself uniquely positioned to understand both the quantum mechanics and computing side, as well as the public key infrastructure and cryptography aspects. I’m thrilled to be able to contribute to addressing this significant problem, ensuring our communications remain secure as we transition into the quantum era.
Q. Is there anything else you want us to highlight that we might’ve missed?
While we’ve covered a lot, one area we didn’t discuss thoroughly is the importance of discovery and automation. Digital certificates are ubiquitous in today’s world, used for signing documents, securing TLS connections, signing emails, or deploying software. Practically every piece of software and device used for secure communication relies on cryptography.
Managing this vast infrastructure of security certificates at scale poses a significant challenge. Many companies struggle with managing their existing certificates, and the need to replace all of them with quantum-safe versions will be a monumental task. Without a professional solution capable of handling this at scale, most organizations are likely to encounter difficulties.
It’s crucial for businesses to ensure their management of existing digital assets and security measures is up to date. If this area has been neglected, it’s important to bring everything up to modern best practices. Failure to do so could make the transition to post-quantum security far more challenging than necessary.
About | Timothy Hollebeek
With over two decades immersed in computer security, Timothy Hollebeek brings invaluable expertise, notably honed during his eight-year tenure spearheading pioneering security research under the auspices of the Defense Advanced Research Projects Agency. As the Industry Technology Strategist at DigiCert, he serves as the linchpin in various industry standards bodies, such as the CA/Browser Forum, where he tirelessly advocates for the advancement of pragmatic information security measures aligned with practical implementations. Rooted in a background in mathematics, Timothy dedicates significant effort to exploring security paradigms in the realm of quantum computing.